Hello,

The following program triggers a slab-out-of-bounds write:
https://gist.githubusercontent.com/dvyukov/c4941c67e2eb5be314b902b17dc089df/raw/4f1844d19f6308135ca14c7f28e0898da1b363de/gistfile1.txt

On commit 015ed9433be2b476ec7e2e6a9a411a56e3b5b035 (Nov 11).

BUG: KASAN: slab-out-of-bounds in __rtc_irq_eoi_tracking_restore_one+0x33b/0x350 at addr ffff88003bd82b7c
Write of size 1 by task syz-executor/5031
CPU: 3 PID: 5031 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006d0df6b8 ffffffff81c2e46b ffff88003e80cf40 ffff88003bd82568
 ffff88003bd82ea0 0000000000000001 ffff88006d0df6e0 ffffffff8165ab9c
 ffffed00077b056f ffffed00077b056f ffff88003e80cf40 ffff88006d0df760
Call Trace:
 [<ffffffff8165b257>] __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:331
 [<ffffffff8112aa3b>] __rtc_irq_eoi_tracking_restore_one+0x33b/0x350 arch/x86/kvm/ioapic.c:128
 [<ffffffff8112be26>] kvm_rtc_eoi_tracking_restore_one+0x66/0x90 arch/x86/kvm/ioapic.c:142
 [<ffffffff81125325>] kvm_apic_set_state+0x9b5/0xde0 arch/x86/kvm/lapic.c:2091
 [< inline >] kvm_vcpu_ioctl_set_lapic arch/x86/kvm/x86.c:2834
 [<ffffffff810a8b1d>] kvm_arch_vcpu_ioctl+0x155d/0x3100 arch/x86/kvm/x86.c:3337
 [<ffffffff810608b2>] kvm_vcpu_ioctl+0x1e2/0xdd0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2708
 [< inline >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
 [< inline >] SYSC_ioctl fs/ioctl.c:694
 [<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Object at ffff88003bd82568, in cache kmalloc-2048 size: 2048
Allocated:
PID = 5018
[ 2761.628607] [<ffffffff811abb36>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
[ 2761.628607] [<ffffffff81659ee6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
[ 2761.634614] [< inline >] set_track mm/kasan/kasan.c:507
[ 2761.634614] [<ffffffff8165a15d>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
[ 2761.639003] [<ffffffff816557f8>] kmem_cache_alloc_trace+0xf8/0x280 mm/slub.c:2735
[ 2761.639003] [< inline >] kmalloc include/linux/slab.h:490
[ 2761.639003] [< inline >] kzalloc include/linux/slab.h:636
[ 2761.639003] [<ffffffff8112cbc1>] kvm_ioapic_init+0x51/0x5d0 arch/x86/kvm/ioapic.c:611
[ 2761.639003] [<ffffffff810ab9e4>] kvm_arch_vm_ioctl+0xfb4/0x1c10 arch/x86/kvm/x86.c:3914
[ 2761.639003] [<ffffffff81065e93>] kvm_vm_ioctl+0x193/0x1670 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3097
[ 2761.639003] [< inline >] vfs_ioctl fs/ioctl.c:43
[ 2761.639003] [<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
[ 2761.639003] [< inline >] SYSC_ioctl fs/ioctl.c:694
[ 2761.639003] [<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[ 2761.639003] [<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 0
(stack is not available)
Memory state around the buggy address:
 ffff88003bd82a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003bd82a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88003bd82b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff88003bd82b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003bd82c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================